Let's first understand,
What is ransomware and how does it work?
"Ransomware is a type of malware, or malicious software, that locks up a victim’s data by encrypting the data or computing device and threatens to keep it locked — or worse — unless the victim pays the attacker a ransom". A ransomware attack happens in stages that involve reconnaissance, activation, and leaving a ransom note. In the activation step, crypto-ransomware begins identifying and encrypting files. Most encrypting ransomware deploys asymmetric encryption, using a public key to encrypt the victim's data and retaining a private key that can decrypt it. More details can be found here: https://www.ibm.com/topics/ransomware The encryption phase of a ransomware attack is often slow and designed to avoid notice.
How can IBM Storage Insights help alert on a potential ransomware-like attack?
IBM Storage Insights is a cloud-based solution that provides an unparalleled level of visibility across your storage environment to help you manage complex storage infrastructures and make cost-saving decisions.
For example, IBM Storage Insights provides detailed visibility of health, configuration, performance, capacity, volume layout, etc. for IBM FlashSystem arrays deployed in on-prem data centers. One of the features supported by IBM Storage Insights is the ability for the administrator to see the data compression ratio being achieved by IBM FlashSystem. This feature not only gives the storage administrator insight into storage capacity planning and savings, but can also help the security team spot a potential ransomware-like attack.
In a typical deployment, you will have your servers/hosts running business applications and hosting business data on volumes or LUNs provided by backend block storage (such as IBM FlashSystem). All data written by the servers is eventually compressed by IBM FlashSystem at the storage controller level, and these compression levels can be observed by administrators in IBM Storage Insights. Now, the key aspect to understand is that a ransomware attack slowly encrypts the data on the compromised host/server. Once data is encrypted, its compressibility drops dramatically. So with IBM Storage Insights, one can configure alerts for specific pools/volumes of IBM FlashSystem such that when the compression ratio changes by a given threshold, an alert is raised. These alerts can be fed to the security team, who can cross-examine the host on which the volumes are mounted for any suspicious activity and take rapid mitigation and preventive actions.
Here is a quick video that demonstrates this IBM Storage Insights feature:
At times the alert could be a false positive, for example when the workload on the server has changed and the compression ratio changed with it. In other cases, the alerts will prove very handy for the security team to identify a potential ransomware attack and help mitigate the business risk.
Note: The ransomware insight provided by IBM Storage Insights is to be considered complementary to existing security solutions for ransomware, with the intention that the insights help take the security posture to the next level. It is not to be treated as stand-alone anti-ransomware software.
Link to IBM Storage Insights: https://www.ibm.com/products/analytics-driven-data-management